When hovering over a website link in Google search the tooltip says the link of the website (stackoverflow.com). But when I click it it goes to some Google page and then StackOverflow. But now if I go back to the Google search tab the tooltip has the Google URL.
How does Google do this? And is it is possible for any website to do it which can be used maliciously?
If you look at the page source, there is a JavaScript function rwt() executed on onmousedown event.
<a href="http://security.stackexchange.com/"
onmousedown="return rwt(this,'','','','1','AFQjCNHano0MrEGop-Wp0eV_bNhmdh7OtQ','H4np7JuYNqsCuTIjB-78Eg','0ahUKEwjzldecwZfNAhWEVxoKHX8OAnwQFggdMAA','','',event)">
Information Security Stack Exchange</a>
It rewrites the href for the link you click on (you can even see the change if you click and hold the button).
<a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjzldecwZfNAhWEVxoKHX8OAnwQFggdMAA&url=http%3A%2F%2Fsecurity.stackexchange.com%2F&usg=AFQjCNHano0MrEGop-Wp0eV_bNhmdh7OtQ&sig2=H4np7JuYNqsCuTIjB-78Eg"
onmousedown="return rwt(this,'','','','1','AFQjCNHano0MrEGop-Wp0eV_bNhmdh7OtQ','H4np7JuYNqsCuTIjB-78Eg','0ahUKEwjzldecwZfNAhWEVxoKHX8OAnwQFggdMAA','','',event)">
Information Security Stack Exchange</a>
So technically it's changing the contents of the page on user action. Browsers display the tooltip according to current value.
Any party can do that with JavaScript.
Turn off JavaScript in your browser and Google will provide the results on a page where all destination links are real.
